Internet Services Delta Manual for HP-UX 11i Version 1.6
If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to
the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the
global options block is used as the default.
The request-ixfr clause determines whether the local server acting as a slave will request
incremental zone transfers from the given remote server, a master.
If set to yes, incremental transfer will be requested from the given remote server (master). If set to
no, all transfers to the remote server will be non-incremental. If not set, the value of the
request-ixfr option in the global options block is used as the default.
DNSSEC
Authentication of DNS information in a zone is possible through the DNS Security (DNSSEC)
extensions defined in RFC 2535. To set up a DNSSEC secure zone, a series of steps (explained
below) must be followed. BIND 9.2.0 ships with several tools that are used for this process.
There must be communication with administrators of the parent and/or child zone to transmit keys
and signatures. For a DNSSEC-capable resolver to trust a zone's data, the parent zone must indicate
the zone's security status. For other servers to trust data in this zone, they must either be statically
configured with this zone's zone key or with the zone key of another zone above this one in the DNS
tree.
Validation for wild card records in secure zones is not fully supported. In particular, a "name
does not exist" response will validate successfully even if it does not contain the NXT records
needed to prove the existence of a matching wild card.
Generating Keys
The /usr/bin/dnssec-keygen program is used to generate keys.
A sample directive to invoke the dnssec-keygen program to generate a 768-bit DSA key for the
domain example.com is shown below. The "-a" option is used to specify the encryption
algorithm. The "-b" option is used to specify the key size, and the "-n" option is used to specify the
name type, which can be ZONE, HOST, ENTITY or USER.
NOTE: Refer to the dnssec-keygen(1) man page for a detailed description of all supported
functions.
# /usr/bin/dnssec-keygen -a DSA -b 768 -n ZONE example.com
The above command will generate the key identification string "Kexample.com.+003+26160"
indicating a DSA key with identifier 26160.
Creating a Keyset
The /usr/bin/dnssec-makekeyset program is used to create a keyset from one or more
keys.
A sample directive to invoke dnssec-makekeyset for the key "Kexample.com.+003+26160"
(generated by the dnssec-keygen program) is shown below.
The option "-t" is used to specify the TTL value that will be assigned to the assembled KEY and
SIG records in the output file. The options "-s" and "-e" are used to indicate the start time and
the end time (expiry date) of the SIG records, respectively.
NOTE: Refer to the dnssec-makekeyset(1) man page for a detailed description of all
supported options.
# /usr/bin/dnssec-makekeyset -t 86400 -s 20007011200000 -e +2592000 Kexample.com.+003+26160
The output of this command is a file named example.com.keyset containing a SIG and KEY record
for the ZONE example.com.
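The two-step procedure above (generate a key with dnssec-keygen, then assemble its keyset with dnssec-makekeyset) as an added shell example. This is not code from the HP-UX manual or from BIND; it assumes only the tool paths and options quoted on the page, the key-file naming K<name>.+<alg>+<keyid> that dnssec-keygen produces, and the RFC 2535 algorithm numbers (1 RSA/MD5, 3 DSA; 5 RSA/SHA-1 from RFC 3110). The helper functions keygen_cmd, parse_keyid, check_time and make_keyset are constructed for this example, and the start time 20000701120000 is a constructed, well-formed YYYYMMDDHHMMSS value. The validator rejects a value such as 20007011200000, the start time shown in the sample command above, because its month field (70) is out of range, which is the kind of argument error worth catching before a keyset is built.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual or BIND): helper functions around the
# dnssec-keygen / dnssec-makekeyset workflow. Assumed: the tool paths and options
# quoted on the page, the key-file naming K<name>.+<alg>+<keyid> that
# dnssec-keygen produces, and the RFC 2535 algorithm numbers in alg_name.

# Map a three-digit algorithm field to its name (1 RSA/MD5, 3 DSA from RFC 2535;
# 5 RSA/SHA-1 from RFC 3110).
alg_name() {
    case "$1" in
        001) echo RSAMD5 ;;
        003) echo DSA ;;
        005) echo RSASHA1 ;;
        *)   echo UNKNOWN ;;
    esac
}

# Build the dnssec-keygen command line; the name type must be one of the four
# values the manual lists. Prints the command, returns 1 on a bad name type.
keygen_cmd() {
    alg=$1; bits=$2; ntype=$3; name=$4
    case "$ntype" in ZONE|HOST|ENTITY|USER) ;; *) return 1 ;; esac
    echo "/usr/bin/dnssec-keygen -a $alg -b $bits -n $ntype $name"
}

# Split a key identification string such as Kexample.com.+003+26160 into
# "<name> <algorithm> <keyid>"; returns 1 if it is not in that form.
parse_keyid() {
    case "$1" in
        K*.+[0-9][0-9][0-9]+[0-9]*) ;;
        *) return 1 ;;
    esac
    name=${1#K}; name=${name%%.+*}      # strip leading K and the .+alg+id tail
    rest=${1#K*.+}                      # -> alg+keyid
    alg=${rest%%+*}
    id=${rest#*+}
    case "$id" in *[!0-9]*|"") return 1 ;; esac
    echo "$name $(alg_name "$alg") $id"
}

# Validate a -s/-e argument for dnssec-makekeyset: either an absolute
# YYYYMMDDHHMMSS timestamp with every field in range, or a "+N" offset in seconds.
check_time() {
    t=$1
    case "$t" in
        +[0-9]*) case "${t#+}" in *[!0-9]*) return 1 ;; esac; return 0 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=$(printf '%s' "$t" | cut -c5-6)
    dd=$(printf '%s' "$t" | cut -c7-8)
    hh=$(printf '%s' "$t" | cut -c9-10)
    mi=$(printf '%s' "$t" | cut -c11-12)
    ss=$(printf '%s' "$t" | cut -c13-14)
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] &&
        [ "$hh" -le 23 ] && [ "$mi" -le 59 ] && [ "$ss" -le 59 ]
}

# Assemble the dnssec-makekeyset command line after validating every argument.
# Prints the command; runs it only where the tool is actually installed, so the
# example can be exercised on a host without BIND.
make_keyset() {
    key=$1; ttl=$2; start=$3; end=$4
    parse_keyid "$key" >/dev/null || { echo "bad key name: $key" >&2; return 1; }
    check_time "$start" && check_time "$end" ||
        { echo "bad time: $start / $end" >&2; return 1; }
    cmd="/usr/bin/dnssec-makekeyset -t $ttl -s $start -e $end $key"
    echo "$cmd"
    if [ -x /usr/bin/dnssec-makekeyset ]; then
        $cmd            # writes <name>.keyset containing the KEY and SIG records
    fi
}

# Walk-through with the page's zone and key id; the start time is a constructed,
# well-formed value (1 July 2000, 12:00:00).
keygen_cmd DSA 768 ZONE example.com
parse_keyid Kexample.com.+003+26160
make_keyset Kexample.com.+003+26160 86400 20000701120000 +2592000
```

Run it as `sh dnssec-helpers.sh` on any POSIX shell; on a host without the BIND tools it only prints the command lines it would run, which makes it safe to use for checking arguments before touching real zone keys. The key-file name check matters because dnssec-makekeyset expects the K<name>.+<alg>+<keyid> identifier exactly as dnssec-keygen printed it, dot included.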
Chapter Overview 31